IETF-SSH archive


potential disclaimer for the transport draft.



[wg chair hat off]

I took the liberty of drafting a possible disclaimer for the CBC
attack.  Please send substantive comments regarding this text to this
list.

					- Bill

NOTE:

Nearly all ciphers specified in this document are used in cipher block
chaining (CBC) mode. It's been known for some time that CBC modes will
reveal information about the plaintext if two ciphertext blocks
encrypted under the same key are equal; this is one of the reasons
this document strongly recommends rekeying at least once per gigabyte
of data, to reduce the chance that a "birthday paradox" collision will
appear.

Recent research has uncovered a new attack on CBC mode which, under
certain conditions, allows a chosen plaintext attacker aware of the IV
for a forthcoming message to have some chance to artificially induce a
system into generating ciphertext collisions, allowing the attacker's
guesses at likely prior plaintexts to be confirmed.

Any protocol which uses CBC in a way which allows advance knowledge of
a message's IV (e.g., by using the last block of the preceding message
as the IV) might be vulnerable to this attack.

Preliminary analysis of this attack as applied to the SSH protocol
suggests that the protocol is actually fairly resistant to this
attack; while estimates vary, it appears that, on average, an attacker
would have to inject tens or hundreds of millions of chosen plaintexts
to confirm guesses on the value of a few unknown plaintexts.
While this attack involves less work than a brute-force attack on the
underlying cipher (and is thus a matter of some concern), it is also
likely to be significantly more difficult than attacks on other parts
of a system using the SSH protocol, and so is unlikely to be an
immediate risk to real-world systems.  Due to this document's
recommendation that rekeying occur once an hour, an attacker also has
a limited amount of time to complete any particular attack.

Nevertheless, work is underway to specify, in a separate document or
documents, additional cipher modes for the SSH protocol to address
this vulnerability.  Implementors should be prepared to add new
algorithms to their implementations as this work progresses.
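The mechanism the NOTE describes, as an added worked example (this code is not part of the draft or of Bill's message). It simulates a CBC session whose next IV is the last ciphertext block of the previous message, then lets an attacker who can inject plaintext confirm a guess at an earlier secret block by forcing a ciphertext collision. The block cipher is a stand-in (a four-round Feistel network keyed with HMAC-SHA256) because the attack depends only on the CBC chaining, not on the cipher; the secret, the header block and the candidate list are constructed for the demo.

```python
"""Chosen-plaintext confirmation attack on chained-IV CBC (added example).

Victim sends C_i = E(P_i XOR C_{i-1}); the attacker sees every ciphertext
block and therefore knows the IV of the next message (= last C). Injecting
P' = G XOR C_{i-1} XOR IV_next makes the cipher input G XOR C_{i-1}, so the
resulting block equals C_i exactly when the guess G equals P_i.
"""
import hashlib
import hmac
import os

BLOCK = 16   # 128-bit blocks, as for AES in the draft
ROUNDS = 4   # four Feistel rounds give a PRP from a PRF (Luby-Rackoff)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed PRF over the 8-byte half, domain-separated by round.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption: any PRP behaves the same here)."""
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt, included only to show the stand-in is a permutation."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


class ChainedCbcSession:
    """CBC encryptor that reuses the last ciphertext block as the next IV,
    the chaining behaviour the NOTE warns about."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.iv = iv  # the attacker can read this: it is the last block sent

    def encrypt(self, plaintext: bytes) -> bytes:
        if len(plaintext) % BLOCK:
            raise ValueError("plaintext must be a whole number of blocks")
        out, prev = [], self.iv
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.iv = prev  # chaining: next message starts from this block
        return b"".join(out)


def confirm_guess(session: ChainedCbcSession, guess: bytes,
                  target_block: bytes, prev_block: bytes) -> bool:
    """One chosen-plaintext probe. prev_block is the ciphertext block (or IV)
    that preceded the secret block; target_block is the secret block's
    ciphertext. Returns True iff guess == the secret plaintext block."""
    next_iv = session.iv
    probe = _xor(_xor(guess, prev_block), next_iv)
    return session.encrypt(probe) == target_block


def run_attack(candidates: list, secret_password: bytes) -> list:
    """Simulate a victim message carrying a low-entropy block, then have the
    attacker test each candidate with one injected block. Returns the hits."""
    key = os.urandom(32)
    session = ChainedCbcSession(key, os.urandom(BLOCK))
    # Constructed victim message: a known 16-byte header, then the secret block.
    header = b"PASSWORD:       "
    secret_block = secret_password.ljust(BLOCK, b"\x00")
    victim_ct = session.encrypt(header + secret_block)
    prev_block, target = victim_ct[:BLOCK], victim_ct[BLOCK:2 * BLOCK]
    return [c for c in candidates
            if confirm_guess(session, c.ljust(BLOCK, b"\x00"), target, prev_block)]


if __name__ == "__main__":
    wordlist = [b"letmein", b"hunter2", b"password", b"qwerty"]
    print("confirmed:", run_attack(wordlist, b"hunter2"))
```

Each candidate costs one injected block, which is why the NOTE's estimate only matters when the unknown block has little entropy (a short password padded with known bytes, as here); a full 128-bit block would need far more probes than the per-hour rekey allows. Rekeying also discards the key, so a collision confirmed under one key says nothing about blocks sent under the next.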


